Macro-4 Standard IO Contract Rollback Section — R2-B2 (2026-06-19)
Date: 2026-06-19 · Workstream: R2-B2-MACRO-4-STAGING-WORKBENCH-IO-CONTRACT-TD-ENTRY-GATE-2026-06-19 (Deliverable 25 of 90) · Editorial revision: rev1
Class: IO contract rollback section · READ-ONLY · NON-ENACTING · NON-AUTHORIZING · NO write performed.
Metadata convention. Editorial revision (rev1) only. Storage revision/content_length are authoritative at read time.
0. Status and non-authorization
STATUS: PASS — engineering / design-only. The rollback_surface section defines the per-run rollback/delete unit and states its limits plainly. Engineering PASS ≠ authority PASS. Default: HOLD.
1. Purpose
Define the rollback contract so a block can be undone as one bounded unit, with downstream effects surfaced honestly.
2. Sources / evidence read
Inspect-producer §10 (S8 rollback unit + downstream-certify); TD-readiness §9 (S8 PARTIAL; HOLD-2); pilot-slice staging IO contract §10. Read in the main process; no reader-agents used.
3. Accepted baseline (carried)
B2's rollback unit = one producer run (swap channel, keep contract). In staging, deletion is the rollback (no production rollback to perform). HOLD-2 is OPEN: there is no atomic end-to-end birth-certify promote transaction today; fn_iu_enact (IU lineage) is distinct and must not be assumed to cover birth-certify.
4. Evidence / analysis — rollback section shape
| Element | Requirement |
|---|---|
| Unit | one bounded run = one rollback/delete unit |
| Staging-simple | in staging there is no production rollback (it never wrote production) |
| Downstream-certify | in production, completing all three inspect_* steps triggers B4 auto-certify; the unit must account for whether/how to unwind a triggered certify (Owner-gated, future TD) |
| Snapshot | an Article 39 (Điều 39) pre-batch snapshot is a candidate pattern to evaluate, not a script to copy |
| No script here | no DELETE/UPDATE/migration/command sequence written |
5. Contract / requirement / matrix / result
If a clean per-run rollback unit cannot be defined (including the downstream-certify interaction), the design is not authorized for write — fail-closed. The rollback mechanism is FUTURE_TECHNICAL_DESIGN_REQUIRED.
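The shape of the fail-closed check above, as an added illustration that is not part of this section or of any B2/B4 code: a pure classification of one producer run into a rollback verdict. It performs no write and emits no DELETE/UPDATE/command sequence, consistent with §4 "No script here". The three inspect_* step names, the ProducerRun/RollbackVerdict types and the disposition labels are assumptions introduced for the example; the page only fixes the rules (staging: delete is the rollback; production: all three inspect_* completing triggers auto-certify; no defined unwind means HOLD).

```python
"""Added illustration: classify a producer run's rollback unit. No writes performed."""
from dataclasses import dataclass
from enum import Enum

# Hypothetical names for the three inspect_* steps; the page only says
# "all three inspect_*", so these identifiers are assumptions.
INSPECT_STEPS = frozenset({"inspect_schema", "inspect_rows", "inspect_lineage"})


class Env(Enum):
    STAGING = "staging"
    PRODUCTION = "production"


@dataclass(frozen=True)
class ProducerRun:
    """One bounded producer run: the rollback/delete unit of the contract."""
    run_id: str
    env: Env
    completed_inspect: frozenset  # inspect_* steps that completed for this run
    # Whether an Owner-approved technical design for unwinding a triggered
    # certify exists. The page marks this FUTURE_TECHNICAL_DESIGN_REQUIRED,
    # so today it is always False.
    certify_unwind_defined: bool = False


@dataclass(frozen=True)
class RollbackVerdict:
    run_id: str
    certify_triggered: bool  # did completing the run trigger B4 auto-certify?
    clean_unit: bool         # can the run be undone as one bounded unit?
    disposition: str         # hypothetical label, not a page-defined state
    reason: str


def certify_triggered(run: ProducerRun) -> bool:
    """B4 auto-certify fires only in production, and only when every one of
    the three inspect_* steps completed for this run."""
    return run.env is Env.PRODUCTION and INSPECT_STEPS <= run.completed_inspect


def evaluate_rollback_unit(run: ProducerRun) -> RollbackVerdict:
    """Decide whether one run is a clean rollback unit. Fail-closed: a
    downstream effect without a defined unwind yields HOLD."""
    if run.env is Env.STAGING:
        return RollbackVerdict(run.run_id, False, True, "DELETE_IS_ROLLBACK",
            "staging never wrote production; deleting the run's output is the whole rollback")
    if not certify_triggered(run):
        return RollbackVerdict(run.run_id, False, True, "UNIT_BOUNDED_TO_RUN",
            "no downstream certify fired; the unit is the run itself")
    if run.certify_unwind_defined:
        return RollbackVerdict(run.run_id, True, True, "CERTIFY_UNWIND_REQUIRED",
            "auto-certify fired; the unit must unwind it under the Owner-approved design")
    return RollbackVerdict(run.run_id, True, False, "HOLD_FAIL_CLOSED",
        "auto-certify fired and no unwind is defined; not authorized for write")


def write_authorized(runs) -> bool:
    """The design is authorized for write only if every run in scope is a clean unit."""
    return all(evaluate_rollback_unit(r).clean_unit for r in runs)


if __name__ == "__main__":
    # Constructed sample runs; the identifiers are not real run ids.
    sample = [
        ProducerRun("run-staging-1", Env.STAGING, INSPECT_STEPS),
        ProducerRun("run-prod-partial", Env.PRODUCTION,
                    frozenset({"inspect_schema", "inspect_rows"})),
        ProducerRun("run-prod-full", Env.PRODUCTION, INSPECT_STEPS),
    ]
    for v in map(evaluate_rollback_unit, sample):
        print(f"{v.run_id}: {v.disposition} ({v.reason})")
    print("write authorized:", write_authorized(sample))
```

The point the example makes is that the unit is bounded by the run's downstream effects, not by its own rows: a production run whose third inspect_* step completed carries a triggered certify with it, and until the unwind is designed the only honest verdict for that run is HOLD.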
6. Owner-gated future work
Defining/executing the rollback mechanism (incl. downstream-certify) is Owner-gated; forbidden now.
7. What remains unresolved
HOLD-2 OPEN (no atomic birth-certify-promote txn); the downstream-certify unwind is undecided.
8. Ready for GPT/Codex review
Yes — Codex should confirm the rollback section surfaces the downstream-certify subtlety and writes no script.